Skip to main content

This guidance defines cyber security, outlines your charity's legal obligations, and explains how to manage the risks of cyber attacks.

There are also additional resources available, including a cyber security assessment and checklist, as well as templates for your charity's use.

Cyber security

Cyber security is protecting your charity's electronic information from unauthorised access.

Cyber security applies to all electronic information, but if your charity handles personal or sensitive information, you must be particularly careful about how it is protected.

Some charities, due to a lack of resources or time, may not have considered cyber security. This is understandable, but it creates vulnerability.

Charities should make sure that staff and volunteers have a basic understanding of cyber security issues.

Personal and sensitive information

Personal information and sensitive information are defined in the Privacy Act 1988 (Cth) (the Privacy Act).

Personal information is information or an opinion about an identified person (or a person that can reasonably be identified), regardless of whether the information or opinion is true or recorded in a material form.

Sensitive information is a subset of personal information, and may include, for example, a person’s religious or philosophical beliefs, sexual orientation or health information.

For more on what constitutes personal information and sensitive information, see the key concepts in the Australian Privacy Principles guidelines.

The Privacy Act has requirements for the way personal information and sensitive information are collected and stored. The Office of the Australian Information Commissioner's (OAIC) Australian Privacy Principles guidelines has information about these requirements.

We also have a guide on managing people's information and data, which provides information for charities about collecting, storing and using the information and data they hold about people in a responsible way.

Legal obligations

At a general level, all charities registered with the ACNC must continue to be not-for-profit and pursue charitable purposes. They must also keep financial records, and report information annually – including financial information.

Most charities must also comply with the ACNC Governance Standards and, for charities operating overseas, the External Conduct Standards.

Depending on the location and nature of your charity’s operations, there may be other state, federal or overseas legislation with which your charity must comply. This means your charity may have legal obligations for the way it collects and stores information. This will depend on the location and nature of your charity’s operations.

You should consider getting legal advice to fully understand what legal obligations there may be for your charity.

Risks and possible consequences

It is not only large companies and government agencies that can fall victim to cyber attacks. Charities – even smaller ones – can be targeted too. Smaller charities can be especially vulnerable because they often have weaker defences.

Commons cyber security risks include:

  • unauthorised access to a device, network, account or system
  • viruses or other malicious software (malware) that can collect, change or delete information and spread throughout a network
  • fake emails or websites set up to trick someone into transferring funds or revealing sensitive information. Examples may include suspect links or email attachments, invoice fraud, or requests to change bank account details.

The consequences of an incident can be significant. They may include:

  • loss of crucial information
  • disruption to services
  • unauthorised changes to your charity’s information and systems
  • expensive costs to restore data and services
  • costs of notification and investigation (including legal costs)
  • costs arising from the attack itself, or to recover from the attack
  • regulatory action and penalties
  • loss of trust and reputation.

When a charity has inadequate security for its computer systems, it is more vulnerable to attacks and less likely to be able to detect them. This can then make responding to attacks more difficult and can increase the time and cost of recovery.

Protecting your charity from cyber attacks

Although everyone in a charity has an important part to play in protecting against cyber attacks, the ultimate responsibility is with the charity’s Responsible People.

Responsible People must consider the circumstances of their charity and make sure that they can identify and manage relevant cyber security risks.

How charities manage cyber security risks will vary significantly, but there are four steps that every charity can take to help protect against cyber incidents:

  • Identify and assess the risks.
  • Prevent incidents and mitigate risks.
  • Engage people in the charity and relevant third parties to help manage risks.
  • Take action and respond effectively when concerns, suspicion or complaints arise.

Most of these actions are simple and most charities will be able to do them. But if you think your charity doesn’t have anyone available with enough knowledge and experience, you may need to seek outside help.

Creating an information asset register can help your charity identify the information assets it has, and assess its importance to your charity’s operation.


An information asset register can help you identify:

  • the types of information assets your charity has
  • valuable information assets that need to be prioritised
  • where the information assets are stored or held
  • assets that pose significant risk
  • who has access to assets, and which people and positions are responsible for particular information assets.

Your charity can use our information asset register template to identify and record information about your charity’s critical assets.


An information asset register can also focus your charity’s attention on:

  • the relative value or importance of each of the assets to your charity’s operation
  • the impact of a cyber incident on the assets, and business continuity.

You can use the information asset register to focus your charity’s attention and resources on protecting its information assets.

In an information asset register, assets can be ‘grouped’ – for example, by asset type or value to the charity.

A register can help clarify how your charity protects assets, as well as help you conduct a risk assessment for your charity that:

  • identifies risks
  • considers potential incidents
  • analyses the likelihood and effect of an incident
  • explores ways to manage risks or respond to incidents.

Your charity should record and retain its information asset register, as well as the findings of any risk assessments it does. The register should be updated when appropriate, and risk assessments reviewed or revisited regularly.

There are many practical things your charity can do to mitigate risks and prevent incidents.

  • Ensure software and operating systems are updated regularly: Regular updates will fix known security vulnerabilities in software.
  • Limit access: Only allow staff and volunteers to access the information they need for their roles.
    • This can be achieved through the use of security groups or restricting access to applications accessible through Software as a Service (SaaS) cloud-based arrangements.
    • You should also restrict the number of people that have administrator access or accounts.
  • Use multi-factor authentication: Multi-factor authentication requires users enter more than just a password when they log in to your charity’s systems.
    • This enhances security and helps provide an extra layer of protection against security breaches caused by stolen or weak passwords.
    • Multi-factor authentication should be used wherever possible, particularly for access to critical or sensitive information such as financial or health information.
  • Protect devices: Use antivirus software to protect all devices. Modern antivirus software can find, contain and remove viruses.
    • Scans should be automatic and regularly scheduled so your charity isn’t reliant on users remembering to conduct manual scans.
    • In addition, ensure your antivirus software is kept up-to-date, and turn on automatic updates if available.
  • Protect networks: Use firewalls for your charity’s network. This is software that can prevent unauthorised access to a network, and unauthorised use of the network by your charity’s staff and volunteers.
  • Use only authorised resources: Only allow approved applications on your charity’s computer and phones, and block access to inappropriate websites and downloads.
    • These restrictions can be enforced through group policy objects, or technology like Applocker.
  • Use passwords effectively:
    • Make sure those who use the charity’s systems have unique passwords to protect every account, device and system. System users should not re-use passwords.
    • If your charity provides devices to staff and volunteers, ensure they set their own new and unique password.
    • Use a passphrase, which uses four or more random words, as your password. A strong passphrase should be long, unpredictable and unique.
  • Make backups: Ensure your charity has scheduled regular automatic backups for its important information. Charities increasingly use the ‘cloud’ (a shared computer and storage resource service that is accessed through the internet) to protect their information, rather than a physical device. This can be a way to securely store backups outside of the charity’s physical location.

For more information on how to manage the risk of cyber threats, see the Australian Signals Directorate’s Essential Eight mitigation strategies.

It is a good idea for your charity’s staff and volunteers to have at least basic training in cyber security and data privacy.

The training, at a minimum, should cover common cyber security risks and their mitigations, and outline the ways to collect and handle personal information securely.

Your charity should have a plan for responding to cyber security issues and data breaches. We have a template plan for responding to data breaches below that your charity can use.

Everyone in the charity should be familiar with the plan and have access to it if they need it.

Your charity could use the following steps to manage, respond and address a data breach or other cyber security issue:

  • Identify and contain: Understand what is happening and, if possible, take steps to prevent other systems, devices or data from being affected.
  • Investigate: Find out the nature of the issue, which devices and systems are affected, and what the risks might be.
  • Assess the risks and respond: Work out what harm has been done, the effects of the harm, and what could go wrong from here.
  • Act and notify: Decide on the priorities for protecting individuals and organisations from further harm. In the case of a data breach, follow the OAIC notification guidelines to inform the regulator and other parties if required.
  • Review: Look over your charity’s policies, procedures and systems to identify any changes that would reduce the likelihood and consequences of similar issues occurring again, and then implement these changes.

Case studies

Cyber security resources

After reading this guide, you can check your understanding by taking our cyber security assessment. We also have a checklist that your charity can use to ensure it has policies and procedures in place to manage cyber security risks.

You do not need to submit the assessment or checklist to the ACNC – they are optional resources designed to help you measure your understanding of cyber security, and to identify areas for further training or improvement.

We also have an information asset register template and a template plan for responding to a data breach that your charity can use as a guide.

Was this page useful?
Why not?